The following example policy will automatically create a CloudWatch Event Rule
triggered Lambda function in your account and region which will be triggered
anytime a new S3 bucket is created in that region. The policy then applies
several configurations such as enabling the default S3 AES256 bucket encryption,
turns on object versioning, creates a s3 object lifecycle, enables logging on the
bucket, and tags the user that created the bucket. When using the toggle-logging
action as shown below you must make sure the s3 bucket the logs are getting sent
to already exists. Buckets can only send logs to logging buckets in the same region
as it so you may need to create multiple logging buckets per account if you use more
than 1 region. In the below example the logging buckets would be named using account
and region like the following: 0123456789012-us-east-1-s3-logs
The S3 bucket lifecycle will help to save S3 costs by getting rid of old object versions
and moving objects from standard storage class to infrequent access storage after 180
days in this example.

policies:-name:s3-configure-standards-real-timeresource:s3description:|This policy is triggered when a new S3 bucket is created and it appliesthe AWS AES256 Default Bucket Encryption, Tags the creators ID, enablesobject versioning, configures the bucket lifecycle and enables logging.mode:type:cloudtrailevents:-CreateBucketrole:arn:aws:iam::{account_id}:role/Cloud_Custodian_S3_Lambda_Roletimeout:200actions:-type:auto-tag-usertag:CreatorName-type:set-bucket-encryption-type:toggle-versioningenabled:true-type:toggle-loggingtarget_bucket:"{account_id}-{region}-s3-logs"target_prefix:"{source_bucket_name}/"-type:configure-lifecyclerules:-ID:company-s3-lifecycleStatus:EnabledFilter:Prefix:/Transitions:-Days:180StorageClass:STANDARD_IANoncurrentVersionExpiration:NoncurrentDays:35